From: Vladimír Čunát Date: Mon, 24 Apr 2017 17:31:53 +0000 (+0200) Subject: Merge branch 'master' into ad-refactor X-Git-Tag: v1.3.0~23^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b9e001dfe3eec4a41a8cb7ba4860463d98f7b87c;p=thirdparty%2Fknot-resolver.git Merge branch 'master' into ad-refactor --- b9e001dfe3eec4a41a8cb7ba4860463d98f7b87c diff --cc lib/layer/rrcache.c index 74ce75a42,d5d908a3b..dccd01a5e --- a/lib/layer/rrcache.c +++ b/lib/layer/rrcache.c @@@ -178,21 -109,29 +178,36 @@@ static int loot_rrcache(struct kr_conte ret = loot_rr(cache, pkt, qry->sname, qry->sclass, rrtype, qry, &rank, &flags, 0, lowest_rank); } - /* Record is flagged as INSECURE => doesn't have RRSIG. */ - if (ret == 0 && (rank & KR_RANK_INSECURE)) { + if (ret) { + return ret; + } + + if (kr_rank_test(rank, KR_RANK_INSECURE)) { qry->flags |= QUERY_DNSSEC_INSECURE; qry->flags &= ~QUERY_DNSSEC_WANT; - /* Record may have RRSIG, try to find it. */ - } else if (ret == 0 && dobit) { + } + + /* Record may have RRSIGs, try to find them. */ + const bool dobit = (qry->flags & QUERY_DNSSEC_WANT); + if (cdbit || (dobit && kr_rank_test(rank, KR_RANK_SECURE))) { + kr_rank_set(&lowest_rank, KR_RANK_INITIAL); /* no security for RRSIGs */ ret = loot_rr(cache, pkt, qry->sname, qry->sclass, rrtype, qry, &rank, &flags, true, lowest_rank); + if (ret) { + VERBOSE_MSG(qry, "=> RRSIG(s) expected but not found, skipping"); + /* In some cases, e.g. due to bugs, this may fail. + * A possible good example is that a cache backend + * (such as redis) chose to evict RRSIG but not RRset. + * Let's return cache failure, but the packet has been + * updated already by the RRs! Let's try to clear it. + * The following command might theoretically fail again + * while parsing question, but let's just log that + * condition in non-debug mode (it might be non-fatal). */ + if (kr_pkt_clear_payload(pkt)) { + kr_log_error("[ rc ] => ERROR: work-around failed\n"); + assert(false); + } + } } return ret; }